Under present circumstances, due to the coronavirus (Covid-19), new situations arise in many workplaces as colleagues are working from home, meetings are canceled and suppliers and public authorities are working with reduced staff. These new situations give rise to new questions regarding security and the processing of personal data, both in relation to a company’s clients, suppliers and business partners and in relation to a company’s employees.
We have written this newsletter in order to get to the bottom of some of the questions most frequently asked by our clients and business partners about the present situation from a GDPR perspective.
Employers’ responsibility for the employees’ personal data
Due to Covid-19, companies are facing new challenges relating to their responsibility for the personal data of their employees. Personal data that concerns the health of a data subject is considered a special category of personal data. As a main rule, the processing of such special categories of personal data is prohibited by the GDPR. Employers, however, are exempt from the prohibition and may process special categories of personal data if the processing is necessary in order for the employer to carry out its obligations in the field of employment, social security and social protection law. If an employee has contracted Covid-19, the company, as the employer, must decide if and how such information can be processed. It is not, for example, advisable to share information about an employee who has been infected by Covid-19 with clients or others. It is better in these cases to simply state that the employee cannot be reached or that the employee is working from home.
Information that an employee has “self-quarantined”, i.e. that the employee is working from home instead of from the office as a precaution, is not considered information pertaining to the person’s health and is not considered a special category of personal data. Information regarding an employee who has been quarantined according to the Swedish Communicable Diseases Act (Swe: Smittskyddslagen), on the other hand, is probably considered information about the employee’s health and, as such, a special category of personal data that can only be processed by an employer if the processing is exempt from the main rule, i.e. if the processing is necessary in order for the employer to carry out its obligations in the field of employment, social security and social protection law.
Security concerns when working outside of the office
In addition to companies’ responsibility for the processing of employees’ personal data, the present circumstances bring certain security risks to light, mainly relating to the fact that many are now working from home as opposed to working in the office. Below, we have listed some things that are important to keep in mind as you move your workplace from the office into your home or some other venue.
If you or your company have any questions relating to the GDPR and the coronavirus or any other personal data related questions, do not hesitate to contact our GDPR expert Marcus Appeltofft at +46 (0)733-744053 or at marcus.appeltofft@norelidlaw.com.
The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.